Using the LIKE Operator with Parameterized Queries
Suppose we want to use the LIKE operator with its wildcard character "%". If we put the wildcard and the user's input directly into the query text, the query may be open to SQL injection, so we have to avoid that and use a parameterized query instead.
Here is the sample code, showing two ways to do it.
// 1. Using the LIKE operator with plus signs in the query:
string command = "Select Name from UsersTable1 where Name Like '%'+ @Name + '%' ";
SqlCommand cmd = new SqlCommand(command);
cmd.Parameters.AddWithValue("@Name", textBox1.Text);

// 2. Adding the percent signs when assigning the parameter value:
string command = "Select UserName from UsersTable2 where UserName Like @UserName";
SqlCommand cmd = new SqlCommand(command);
cmd.Parameters.AddWithValue("@UserName", string.Format("%{0}%", textBox1.Text));
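Parameterizing keeps the input out of the SQL text, but LIKE still treats %, _ and [ inside the parameter value as wildcards. The following is an added example, not part of the original post, that extends option 2 with an ESCAPE clause so the input is matched literally; the names LikeSearch, EscapeLike and FindUsers and the connectionString argument are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class LikeSearch
{
    // Escape the characters LIKE treats specially in T-SQL (%, _, [) and the
    // escape character itself, so user input is matched as literal text.
    public static string EscapeLike(string input, char escape = '\\')
    {
        var sb = new System.Text.StringBuilder(input.Length + 8);
        foreach (char c in input)
        {
            if (c == '%' || c == '_' || c == '[' || c == escape)
                sb.Append(escape);
            sb.Append(c);
        }
        return sb.ToString();
    }

    // connectionString is supplied by the caller (assumption, not on the page).
    public static List<string> FindUsers(string connectionString, string term)
    {
        const string sql =
            "SELECT UserName FROM UsersTable2 " +
            "WHERE UserName LIKE @UserName ESCAPE '\\'";
        var names = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit NVarChar type rather than AddWithValue's type inference.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar).Value =
                "%" + EscapeLike(term) + "%";
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read())
                    names.Add(reader.GetString(0));
        }
        return names;
    }

    static void Main()
    {
        // Constructed inputs: prints the pattern text sent as the parameter value.
        foreach (var s in new[] { "john", "50%_off", "a[b]c", @"x\y" })
            Console.WriteLine("%" + EscapeLike(s) + "%");
    }
}
```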